Glossary

Welcome to the official NowSecure Glossary. This repo contains key mobile security terms and mobile platform terms to enable clear communication and a common understanding of security definitions regarding mobile apps.

A

Address space layout randomization (ASLR): A security feature introduced in iOS 4.3 that randomizes how an app is loaded and maintained in memory.

Android application package (APK) file: The file format used for installing software on the Android operating system. The file appears in .apk file extension format.

Automatic Reference Counting (ARC): A memory management system that handles the reference count of objects automatically at compile time.

App Transport Security (ATS): An iOS feature that forces mobile apps to connect to back-end servers using HTTPS, instead of HTTP, to encrypt data in transit.

B

Binary: A mobile app released to public app stores or internal enterprise app stores in .apk or .ipa formats.

C

Common Vulnerability Scoring System (CVSS): The universal, open and standardized method for rating IT vulnerabilities and determining the urgency of response.

Common Weakness Enumeration (CWE): A unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems.

Containerization: Storing encrypted data on a mobile device within an encrypted storage “container” separate from other data and apps on the device.

D

Defect: A flaw introduced into code during development. A defect may create a vulnerability if the defect potentially exposes sensitive data, makes the app unstable, or makes it possible to compromise the app.

Dynamic Application Security Testing (DAST): Dynamic testing tools actually exercise an app’s functions as a user might to identify risky behavior and security flaws in the app in its running state.

F

Forensic analysis: Forensic analysis locates artifacts left behind by an app after it runs on a device. Artifacts might include username and other personally identifiable information, and artifacts may be found on the device, in app folders, in system log files, within the iOS Keychain, or on an SD card.

Frida: An open source tool where an analyst can inject JavaScript snippets into native Windows, Mac, Linux, iOS, and Android apps. Created and maintained by NowSecure researcher Ole André V. Ravnås and sponsored by NowSecure.

I

Incident response: An organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).

Interactive Application Security Testing (IAST): Interactive analysis combines aspects of dynamic and static techniques to analyze an app from within, like static analysis, during runtime, like dynamic analysis. Combining both approaches can help tune testing to make it more accurate and offer deeper code coverage.

Interprocess communication (IPC): A set of programming interfaces that allow a programmer to coordinate activities among different program processes that can run concurrently in an operating system.

iOS App Store Package (IPA) file: An iOS application archive file which stores an iOS app. The file appears in .ipa file extension format.

J

Jailbreaking: Specific to the iOS platform, a term for removing the security mechanisms put forth by the manufacturer and carrier that prevent unauthorized code from running on the device.

L

Leaky apps: Mobile applications that transmit or store private user information in an insecure manner

M

Man-in-the-middle (MITM) attack: A MITM attack occurs when a hacker inserts his computer between your device and the web server it’s trying to communicate with. Mobile apps need to communicate with remote servers in order to function, and most use HTTPS to do so securely. MITM attacks are remote in nature and thus present tremendous risk to personal data.

N

National Information Assurance Partnership (NIAP): A national program for developing protection profiles, evaluation methodologies, and policies that will ensure achievable, repeatable, and testable requirements.

O

Obfuscation: The process of making it more difficult for a malicious user to examine the inner-workings of the app to prevent reverse engineering.

OWASP Mobile Top 10: A de facto security standard to help teams develop more secure code, fix flaws earlier in the development lifecycle, and reduce the vulnerability of an app before it’s deployed.

P

Phishing: The process of acquiring personal information such as usernames, passwords, and credit card details by masquerading as a trusted entity through e-mail spoofing.

R

Radare: A reverse-engineering framework used to analyze and inspect iOS and Android binaries. Created and maintained by NowSecure researcher Sergi Álvarez and sponsored by NowSecure.

Rooting: Specific to the Android platform, a term for when users alter or replace system applications and settings, or run specialized apps that require administrator-level permissions. Like jailbreaking, it can result in the exposure of sensitive data.

S

Santoku: A virtual machine that contains a number of open source tools specific to mobile application security testing, forensics and data recovery, and malware analysis.

Static Application Security Testing (SAST): Static testing tools comb through an app’s source code, without executing the app, to identify potential security flaws. Some tools analyze source code, and others can also evaluate the app in a compiled format by evaluating the binary.

T

Touch ID: A common method for allowing a user to authenticate to and unlock their device without entering a passcode. Often, Touch ID refers to the use of a user’s fingerprint for unlocking their device.

U

Universal Unique Identifier (UUID): A unique ID for mobile devices assigned at the time of manufacture for identification purposes.

V

Vulnerability: A defect that can be exploited to compromise the confidentiality, integrity, or availability of a mobile app.